Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Botnet Government Crime EU Security United Kingdom United States

The FBI Is Arresting People Who Rent DDoS Botnets (bleepingcomputer.com) 212

This week the FBI arrested a 26-year-old southern California man for launching a DDoS attack against online chat service Chatango at the end of 2014 and in early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire" services. An anonymous reader writes: Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.

Most of the other suspects arrested were under the age of 20.
This discussion has been archived. No new comments can be posted.

The FBI Is Arresting People Who Rent DDoS Botnets

Comments Filter:
  • by SirSlud ( 67381 ) on Sunday December 18, 2016 @04:55PM (#53509911) Homepage

    A couple of years sounds good to me. Reform, know that it's serious, and don't any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

    • by Ol Olsoc ( 1175323 ) on Sunday December 18, 2016 @05:05PM (#53509953)

      A couple of years sounds good to me. Reform, know that it's serious, and don't any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

      A couple years is significant, although in the US it seems everyone wants everyone executed for anything. Of course we'd all be dead.

      I wonder if we should start teaching civics again in schools. Seems a freaking CS graduate should know better, both socially and technically.

      • by ebvwfbw ( 864834 )

        I wonder if we should start teaching civics again in schools.

        No question about it. That's far better than the liberal BS they replaced it with.

    • by wonkey_monkey ( 2592601 ) on Sunday December 18, 2016 @05:06PM (#53509959) Homepage

      now facing up to 10 years in prison and/or a fine of up to $250,000.

      Doesn't mean he's going to get exactly that.

      • Those don't matter as much as the long term effects for a young CS graduate.

        • by Gojira Shipi-Taro ( 465802 ) on Sunday December 18, 2016 @09:08PM (#53511177) Homepage

          Then perhaps NOT DOING THAT would be a good decision.

          "It was just a prank, bro" isn't a valid defense. Ever.

          • Fuck valid defense.

            I was 26, 45 years ago.

            I'm an expert at doing stupid shit.

            I just never got caught.

            He'll grow up.

            • by Anonymous Coward

              You didn't get caught that's the problem.... it's not an excuse.

              I for one would like to see you discovered and punished appropriately (ok maybe a bit more than appropriate would be nice)

              The world would have 1 less asshole and be less full of shit.

            • by Gojira Shipi-Taro ( 465802 ) on Sunday December 18, 2016 @11:53PM (#53511805) Homepage

              Good for you?

              Actions, even mistakes, have consequences.

              It affects other people, so it's not harmless.

              He'll grow up, but he'll have to suffer the consequences of his own actions and decisions.

              I personally managed to never do stupid shit that happened to be a felony. Because you know, I understand the whole consequences thing.

              Congratulations for getting away with it, I guess.

              • by AmiMoJo ( 196126 )

                In EU countries stuff like this is eventually considered "spent", in that you don't have to tell employers or banks about it. The police keep a permanent record but it won't screw up your life forever.

              • by Wulf2k ( 4703573 )

                > I personally managed to never do stupid shit that happened to be a felony.

                I guarantee that you have, especially if you do anything computer related.

                Have you ever sat down at somebody's computer and tried to help them figure out why something on a remote site didn't work? CFAA violation if they were logged in with their own credentials. Unauthorized use of blahblahblah.

                Now, go be a stupid kid doing stupid kid stuff in the legal minefield of the internet these days.

                May as well just execute this generat

            • prisons are full of people that did stupid shit when they were young, Murder, Rape, assault, theft. Just because you committed felonies and got away with it and realised later it was dumb doesn't mean everyone under 30 now gets a free pass. It is bad enough the free passes given out to most teenagers.
            • Renting a botnet to DoS a site isn't just "stupid shit", this should have consequences.

              • by Wulf2k ( 4703573 )

                It is "stupid shit" compared to the sentence he'll get for it.

                He'd have been better off committing a violent crime.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      A couple of years sounds good to me. Reform, know that it's serious, and don't any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

      It's nice to know you've made that decision based on knowing all the facts of the case contained in a slashdot summary.

      Jail is serious. Even the threat of jail can cause reform. He is facing ten years but depending on how much damage the attack actually did, they should let him plead it down to much less, especially if he's a first-time offender. Someone out early on probation who knows that they're going away for five years if they screw up can be more useful to society and more likely to reform than someo

      • by Cederic ( 9623 )

        they should let him plead it down to much less

        Why, so that they get a guilty plea and don't have to actually find, assess and present evidence?

        "Plead guilty and we'll only give you two years, or we'll be pushing for the full ten and a fine that you'll be working for another 8 years to pay off."

        This isn't justice.

        • by ColdWetDog ( 752185 ) on Sunday December 18, 2016 @06:04PM (#53510301) Homepage

          You only get justice if you can afford it.

          It's the American way.

          • Hi there, I don't have any comment on this argument, but your sig rubbed me the wrong way. I BELIEVE the phrase "pipe dream" is a reference to opium, not hallucinogens. Opium users nod out into a dreamy state, I've seen one picture from China Town in SF in the early 1900's of an opium cart that says "Dreams $5" or something like that... anyway, carry on.
        • >Why, so that they get a guilty plea and don't have to actually find, assess and present evidence?

          That's not 'completely' true. The DA has to present the plea deal to a judge (in theory the same judge that you would have your trial in front of) and the judge tell the DA the plea is not accepted because of lack of evidence and that it must be brought to trial.

      • by Dutch Gun ( 899105 ) on Sunday December 18, 2016 @06:16PM (#53510371)

        Given that the estimated damage was $5000, I'd hope he just gets a rather stiff fine (maybe five to ten times the estimated damages). There's no need for him to be in prison, as he's not a danger to society, although he does need to be punished. The greater value is in letting people know they can't get away with hiring these services without consequences.

        For people wishing for law enforcement to go after the botnets themselves, we just had a story from a week ago about international law enforcement removing a very large botnet. They seem to be attacking the problem from both ends, which seems like a reasonable approach.

        Now we just need to figure out how to secure all these damned routers and IoT devices so they can't be used as botnets so easily. This wouldn't be nearly so much a problem if the fruit wasn't quite so low-hanging.

        • Comment removed based on user account deletion
        • While going after botnets should be part of the plan. Going after those who hire the botnets also needs to be part of the equation. Botnets need to be attacked from both ends, both those who create them and those who use them, a botnet that never does anything wrong isn't really a problem, it could be used as a distributed computer to process complex problems with all those wasted processor cycles out there on IoT enabled devices. Only if used for DDOS or similar attacks do they become problematic. If n
        • by AmiMoJo ( 196126 )

          Prison is completely unsuitable for a first offence of this nature. It won't provide him with the skills to live a reformed life afterwards, he already has those it seems. A fine seems like the best option, because he could keep his career going and build a life to move past what he did and be a productive contributor to society, but still be punished and deterred from doing it again.

        • by TWX ( 665546 )

          Now we just need to figure out how to secure all these damned routers and IoT devices so they can't be used as botnets so easily. This wouldn't be nearly so much a problem if the fruit wasn't quite so low-hanging.

          Stronger product liability laws and rulings against manufacturers or distributors would probably be a good start. Make the source responsible for the ability to compromise the device, with financial penalities based on install base when vulnerabilities are not discovered. Use the recall process like most other products are subject to as well.

          If it hurts their bottom lines, companies will actually start paying attention to security.

      • Re: (Score:3, Insightful)

        by Dahamma ( 304068 )

        Jail is serious.

        So it depriving a business of their livelihood. Someone walking into a store with a gun and robbing the cash register does a LOT less financial damage than these A-holes, but no one argues that armed robbers should be let off with a warning.

        That said, I agree that no 18 year old should get multiple years in jail for a first time computer crime that didn't cause human harm. But there needs to be some SERIOUS repercussion, possibly including some (brief) jail time or everyone is going to think you get one g

        • I'd say a better analogy would be burglary instead of armed robbery, as threatening someone with a gun is serious because of the implied threat to human life. Also, it's a bit strange that he supposedly brought down this chat site for two months, yet damages are valued at $5000. One can only draw the conclusion that this was not a large, money-making operation.

          I'm not making light of this, but this was the equivalent of some small time burglary or shoplifting, not some masterful hack bringing down million

          • by Dahamma ( 304068 )

            I'd say a better analogy would be burglary instead of armed robbery, as threatening someone with a gun is serious because of the implied threat to human life. Also, it's a bit strange that he supposedly brought down this chat site for two months, yet damages are valued at $5000. One can only draw the conclusion that this was not a large, money-making operation.

            Ok, sure. Felony burglary can get you 10-20 years in many states. Though it usually doesn't unless there are other circumstances. Still, breaking into someone's house and stealing $5000 is most definitely a felony (if the state wants to prosecute it as such). I'm just saying if you are going to give a black teenager 3 years for felony burglary, give a white teenager the same sentence for felony computer hacking. Or decide neither is worth that.

            • I'm just saying if you are going to give a black teenager 3 years for felony burglary, give a white teenager the same sentence for felony computer hacking. Or decide neither is worth that.

              In my jurisdiction, at least, they don't. Black teenage burglars get time served and probation. We've got some local criminals who've gotten arrested literally ninety-plus times, and still can't get the judge to put them in actual prison for any significant length of time.

              • by Dahamma ( 304068 )

                Anecdotes are useless in this case. And why should I even believe you have any idea what the real stats are? I prefer to trust actual research...

                http://www.nytimes.com/2016/12... [nytimes.com]

                • I didn't say black burglars weren't getting treated more harshly (i.e., unfairly) than white burglars, just that they were getting time served and probation instead of three years in prison. It's hard to tell though, because there aren't any white burglars around here to begin with (or maybe there are, but they don't even get arrested).

        • by Megol ( 3135005 )

          IMHO: Someone robbing a place at gunpoint should be sentenced to attempted murder, OTOH I think people that attempt to kill someone should be sentenced as if they succeeded.

        • by SirSlud ( 67381 )

          Ah yes, money is more important than the threat of physical violence.

    • A couple of years sounds good to me.

      Keep in mind that "a couple of years" has a tremendous lifetime impact. The problem is that any crime that carries a maximum sentence of one year or more is a felony. Felonies dog you for life, and in many cases make you unemployable in your chosen profession.

  • by freeze128 ( 544774 ) on Sunday December 18, 2016 @05:09PM (#53509973)
    If you can rent botnets, then maybe that would be useful to large corporations who do not want to be DDOSed. They rent the botnet, then don't use it. That way, those millions of bots aren't being used to attack their site.
    • It could be useful. But the bots are still going to be hijacked PCs. Still breaking the law by using other peoples devices without their consent.
      • Still breaking the law by using other peoples devices without their consent.

        The question here is, is it still breaking the law by NOT using other peoples devices without their consent?

    • by ls671 ( 1122017 )

      Great idea! It seems legit. So, we will me setting multiple botnets shortly to take advantage of this great market opportunity. Shouldn't cost much either since the bots will never be used!

      Thanks you!

    • If you can rent botnets, then maybe that would be useful to large corporations who do not want to be DDOSed. They rent the botnet, then don't use it. That way, those millions of bots aren't being used to attack their site.

      Yes, I'm sure the people who control these botnets would not notice they weren't being used; or would notice but feel bound by their sense of ethics to not take advantage and simultaneously rent the botnet to someone else.

    • by v1 ( 525388 )

      that's not how botnets generally work. They're more like timehare services, and typically you can even get time on just a specific number of machines at a time - you pay by the hour by the cpu time. So if you rent a botnet and don't use it, you're just throwing your money away and someone else will use your time and pay for it too, making the bot herder more money.

      This article is a little surprising in that it sounds like the FBI going after these people is a *new* thing. I thought it was part of their ma

    • So essentially pay a permanent bribe to not be attacked.
    • by Dahamma ( 304068 )

      Sounds like extortion to me. The mob uses the same strategy - "hey, pay us to protect you and we don't destroy your business".

    • I think the problem with a successful botnet protection racket is turf. When a gang runs a protection racket on the stores in a neighborhood, the understanding is that they're the only gang with access to that neighborhood. Unless there's a successful way for one botnet to counter another botnet, protection from paying a botnet not to attack won't work unless you're paying every botnet not to attack.
    • I see you've never heard of thisDanegeld. Here's a citation: https://en.wikipedia.org/wiki/... [wikipedia.org]
    • Comment removed based on user account deletion
    • by rhazz ( 2853871 )
      That's self-defeating. More people renting botnets leads to higher demand for botnets which leads to people creating more botnets because it's lucrative. While there is a theoretical limit to the amount of hardware out there that can be recruited into botnets, we are pretty far from that limit so things can get a lot worse.

      It's the same reason any civil society should ban paying ransoms to terrorists etc. While you may personally benefit, society loses because you are funding the problem.
    • LEO should rent the botnets and attack a honeypot, record the attacking IP addresses and require the ISP to notify/filter the owners.
  • by Anonymous Coward on Sunday December 18, 2016 @05:21PM (#53510041)

    Busting a few users sounds like the same failure that is the War On Drugs. They should go after the purveyors of these DDoS/stresser/booter services. Check out this recent list of them, all serviced by CloudFlare in the last year. This is who they need to arrest.

    alphastress.com, anonymous-stresser.net, aurastresser.com, beststresser.com, boot4free.com, booter.eu, booter.org, booter.xyz, bullstresser.com, buybooters.com, cnstresser.com, connectionstresser.com, crazyamp.me, critical-boot.com, cstress.net, cyberstresser.org, darkstresser.info, darkstresser.net, databooter.com, ddos-fighter.com, ddos-him.com, ddos.city, ddosbreak.com, ddosclub.com, ddostheworld.com, defcon.pro, destressbooter.com, destressnetworks.com, diamond-stresser.net, diebooter.com, diebooter.net, down-stresser.com, downthem.org, exitus.to, exostress.in, free-boot.xyz, freebooter4.me, freestresser.xyz, grimbooter.com, heavystresser.com, hornystress.me, iddos.net, inboot.me, instabooter.com, ipstresser.co, ipstresser.com, jitterstresser.com, k-stress.pw, layer-4.com, layer7.pw, legionboot.com, logicstresser.net, mercilesstresser.com, mystresser.com, netbreak.ec, netspoof.net, networkstresser.com, neverddos.com, nismitstresser.net, onestress.com, onestresser.net, parabooter.com, phoenixstresser.com, pineapple-stresser.com, powerstresser.com, privateroot.fr, purestress.net, quantumbooter.net, quezstresser.com, ragebooter.net, rawlayer.com, reafstresser.ga, restricted-stresser.info, routerslap.com, sharkstresser.com, signalstresser.com, silence-stresser.com, skidbooter.info, spboot.net, stormstresser.net, str3ssed.me, stressboss.net, stresser.club, stresser.in, stresser.network, stresser.ru, stresserit.com, synstress.net, titaniumbooter.net, titaniumstresser.net, topstressers.com, ts3booter.net, unseenbooter.com, vbooter.org, vdos-s.com, webbooter.com, webstresser.co, wifistruggles.com, xboot.net, xr8edstresser.com, xtreme.cc, youboot.net

    If CloudFlare would stop providing bulletproof hosting for criminals and spammers, the internet would be a better place. But CloudFlare apparently loves its criminal customers and the FBI loves CloudFlare. DDoS purveyors [ipaddress.com], terrorist websites [theepochtimes.com], malware distributors [malwareurl.com], CloudFlare seems to welcome them all to its hive of scum and villainy. Maybe it's time to revive the concept of the Usenet Death Penalty and apply it to all traffic to and from CloudFlare. They're the sewer of the internet and should be null routed and de-peered.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      This might be an unpopular comment, but CloudFlare also hosts prominent private bittorrent sites, and I'm glad that they do. Piracy is a problem, but the dysfunction we've had in government (in the US) means that copyright isn't going to be meaningfully reformed anytime soon. Without piracy sites, I doubt that services like Netflix or Apple Music would exist -- they exist now because competition made the business model of the music and film labels / studios obsolete. I think this is a good thing. Piracy
      • Comment removed based on user account deletion
      • by Rakarra ( 112805 )

        Without piracy sites, I doubt that services like Netflix or Apple Music would exist

        Netflix is an example of where we've slid backwards -- lost freedom compared to what we had before. Strongly-controlled DRM platform, streaming that's not on your terms, no ownership by the end user, and high fees from the content companies.

        Don't get me wrong, I like me some Netflix, but online streaming is an example of a power grab by the content companies that worked.

    • by Anonymous Coward

      See subject: For providing 102 means to FURTHER "arrest operations" of 8 botnets this week by your providing those DDoS'ing sites to block via custom hosts files (the means I use to protect others online as well as speed them up + make their connections more reliable & more anonymous)

      * MOD WHO I REPLIED TO UP TO +5 FOLKS!

      (I may or MAY NOT have had those already but it never hurts to build those into hosts for tonite's build as blocked here if not)

      APK

      P.S.=> Per my subject's termination above? This is

    • by ChoGGi ( 522069 )

      Free speech means taking the good with the bad.

    • by Anonymous Coward

      The war on drugs is significantly different in that drugs are addictive. The users of drugs are victims of a sort themselves.
      Arresting a botnet renter is much more like arresting people who try to hire hit-men. Both the purchaser and the purveyor should be arrested and treated harshly in these scenarios.

  • by Anonymous Coward

    Transmission of a Program, Information, Code, and Command to Cause Damage to a Protected Computer. -- Felony

    Maximum Term 10 year. Maximum Fine $250,000

  • Doh! Accessing a computer without the owners permission is a felony under 18 USC 1030 . Even if the vendors did not access/test their botnet, they are accessories-before-the-fact. DDoS on open, public ports may or may not be covered as contrary to 18 USC 1030 , however accessing all the little 'bots most certainly is.

  • I have to wonder why Sharma chose Chatango as a target. It looks like a pretty worthless target to me. There has to be more to this story than meets the eye so I'm left wondering if he was part employed by Chatango, got screwed by them, and decided to exact some revenge. If it was the case that Sharma got screwed by Chatango, I fail to see the problem here. I don't automatically think that just because someone is arrested or charged with a crime that they are guilty.
  • or anyone else you don't like. If I'm a hacker in a non-extradition country, I gain access to someone's system and I want them in jail, I just make it look like I'm selling (if I can't get access to their bank account, I can always create a promise of assistance with trafficking) them the use of my botnet, which I then use to attack their rivals. OTOH, if I want to buy the services of a botnet, then I want to first try and piss off hackers online, so I can later claim that my purchase was actually their doi
  • People like this should be made to pay back every penny of damage, and then put into a MANDATORY public service program for 2 years where they spend WEEKENDS (no weekends off!) teaching kids in poor neighborhoods how to code, or some other socially redeemable task. For every weekend he misses, he has to make up two more - and there is no financial remuneration. If he does it again, jail!
  • What did he do, pay with a credit card? Or with a BTC address publicly connected to himself?
  • What? (Score:4, Insightful)

    by Gumbercules!! ( 1158841 ) on Sunday December 18, 2016 @08:22PM (#53510975)
    The FBI estimate his attacks cost Chatango about $5,000.... so bail is set at $100,000 and fines are around $250,000 with 10 years in prison? What?!? Surely a payment of say - $5,000 or maybe even $10,000 to the effected company would be a more suitable response?
    • his maximum fine is 250,000 with 10 years prison. That is simply what the maximum is for the crime he committed, the judge then has between 0-250,000 to play with if he is found guilty. FYI, $5000 or $10,000 would be way to small in my opinion, the fine does need to be orders or magnitude greater. I would be thinking more $25k-$50k with 1-2 years jail.
  • What's the penalty for those allowing their 'computers' to be hijacked and used as part of a botnet?
  • by melting_clock ( 659274 ) on Monday December 19, 2016 @12:02AM (#53511853)

    There are very few applications for a DDoS attack that could be considered legal. The FBI, and other law enforcement agencies, should be arresting those that break the law. Maybe that will leave them less time to spy on the rest of us...

    There are more victims in a DDoS attack than the target. They can include:
    * The people or organisations with infected devices that launch the attack that can have actual costs due to the use of their connections.
    * Internet service providers.
    * The rest of us that just want to be able to surf the net without reduced performance.
    * Those that have a legitimate reason and right to access the target of the attack.

    I can't see any reason to feel sympathetic towards the customers of DDoS for hire that get caught. Lock them up like any other criminal.

  • DON'T DO THE CRIME IF YOU CAN'T DO THE TIME. I don't feel sorry for this guy.He is twenty five years old. What do you want him to have? A participation certificate instead. The reason I shell out good money for malware and anti-virus every year, is to keep assholes like this from messing up my computer. Put him in jail with Rachel from cardholder services. I used to think used car salesman were the bottom feeders, but telemarketers and people that just want to ruin things like this guy are the new bottom fe
    • Also this guy ends up in prison with hardened criminals he may find out there is an entirely new meaning to denial of service.
  • So as I read this, you get busted for *using* a botnet, not just renting one. If you fancy renting a botnet to dos yourself to collect the IPs so you contact all the participants to help them fix their stuff, I think you'd be okay ;-)

You know you've landed gear-up when it takes full power to taxi.

Working...